AWS API Key Compromised

The AWS API Key Compromised alert detects AWS credentials that may have been leaked on the internet. Once AWS detects that your API credentials have been exposed on the internet, it sends the account owner the following notification:



We have detected activity that indicates your AWS account has been compromised. Please take the necessary steps to re-secure your account.

To protect you from unauthorized usage and charges, failure to reply or follow these steps within five days may result in the suspension of your account, and disruption of AWS service.

To re-secure your account, please update your root account password, rotate and delete all your AWS Access Keys (including the Access Keys that were not exposed and/or compromised), check your account for unauthorized usage in all regions and then respond to this notification within five days to avoid your account being suspended.

1) Change your root user password:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys_retrieve.html#reset-root-password (If you are not already signed in as the root user)

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_change-root.html (If you are already signed in as the root user)

2) Rotate the keys:

If your application uses the access key, you need to replace the exposed key with a new one. To do this, first create a second key (at that point both keys will be active) and modify your application to use the new key.

Then disable (but do not delete) the first key. If there are any problems with your application, you can make the first key active again. When your application is fully functional with the first key inactive, please delete the first key.

3) Delete all keys created prior to compromise date (root account):

If you are not using the access key, you can simply delete it. To delete the exposed key, visit the "Security Credentials" page here:

https://console.aws.amazon.com/iam/home#security_credential

Your keys will be listed in the "Access Keys" section.

4) Delete all keys created prior to compromise date (IAM users):

Navigate to your IAM Users list in the AWS Management Console, here:

https://console.aws.amazon.com/iam/home#users

Please select the IAM user identified above.

Click on the "User Actions" drop-down menu and then click "Manage Access Keys" to show that user's active Access Keys. Click "Delete" next to the access key identified above.

We strongly recommend that you follow the Best Practices of Managing your Access Keys at:

http://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html

5) Check for unauthorized usage and delete any unrecognized or unauthorized resources:

We strongly encourage you to review your AWS account for any unauthorized AWS usage, suspect running instances, or inappropriate IAM roles, users and policies. To check the usage, please log into your AWS Management Console and go to each service page to see what resources are used. Please pay special attention to the running EC2 instances and IAM users, roles, and groups. You can also check for any unexpected usage on the "Bills" page in the Billing console.

https://console.aws.amazon.com/billing/home#/bill

Please keep in mind that unauthorized usage can occur in any region and that in your console you only see one region at a time. To switch between regions, you can use the dropdown in the top-right corner of the console screen.

For information on how to delete a resource associated with a particular AWS service, please see our documentation for the specific service at the link below:

https://docs.aws.amazon.com/index.html#lang/en_us

Please make sure that no termination protection or any other back-up restoration system such as ELB or AutoScaling groups is enabled on the resources you want to delete.
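The key-rotation sequence in steps 2 to 4 of the notice (create a second key, repoint the application, disable the exposed key, roll back if the application breaks, delete only once it is healthy, then remove every key that predates the compromise date) is easy to get wrong by hand. The following is an added example, not part of the AWS notice or any AWS tooling. The function names `rotate_access_key`, `keys_created_before` and `demo` are this example's own; the IAM calls they make (`list_access_keys`, `create_access_key`, `update_access_key`, `delete_access_key`) are the real boto3 IAM client methods, so `boto3.client("iam")` can be passed in place of the constructed `FakeIam` stand-in, which exists only so the example runs offline.

```python
from datetime import datetime, timezone


class FakeIam:
    """Constructed in-memory stand-in for boto3's IAM client. It implements
    only the four calls used below, with the real client's method names,
    keyword arguments and response shapes, so the functions can be handed
    boto3.client("iam") unchanged."""

    def __init__(self, keys):
        # keys: {AccessKeyId: {"Status": "Active"|"Inactive", "CreateDate": datetime}}
        self.keys = {k: dict(v) for k, v in keys.items()}
        self.counter = 0
        self.calls = []  # audit trail of mutating calls, in order

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [
            {"UserName": UserName, "AccessKeyId": key_id,
             "Status": meta["Status"], "CreateDate": meta["CreateDate"]}
            for key_id, meta in self.keys.items()]}

    def create_access_key(self, UserName):
        self.counter += 1
        key_id = f"AKIAFAKE{self.counter:012d}"  # constructed key id
        self.keys[key_id] = {"Status": "Active",
                             "CreateDate": datetime.now(timezone.utc)}
        self.calls.append(("create", key_id))
        return {"AccessKey": {"UserName": UserName, "AccessKeyId": key_id,
                              "SecretAccessKey": "constructed-secret",
                              "Status": "Active"}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId]["Status"] = Status
        self.calls.append(("update", AccessKeyId, Status))

    def delete_access_key(self, UserName, AccessKeyId):
        del self.keys[AccessKeyId]
        self.calls.append(("delete", AccessKeyId))


def rotate_access_key(iam, user_name, exposed_key_id, switch_app, health_check):
    """Step 2 of the notice. Create a second key, repoint the application
    (switch_app), then disable but do not delete the exposed key. If the
    application is unhealthy with the old key inactive, re-activate it and
    return None so an operator can investigate; otherwise delete the exposed
    key and return the new AccessKeyId."""
    new_key = iam.create_access_key(UserName=user_name)["AccessKey"]
    switch_app(new_key["AccessKeyId"], new_key["SecretAccessKey"])
    iam.update_access_key(UserName=user_name, AccessKeyId=exposed_key_id,
                          Status="Inactive")
    if not health_check():
        # Rollback path described in the notice: make the first key active again.
        iam.update_access_key(UserName=user_name, AccessKeyId=exposed_key_id,
                              Status="Active")
        return None
    # Application is fully functional with the first key inactive: delete it.
    iam.delete_access_key(UserName=user_name, AccessKeyId=exposed_key_id)
    return new_key["AccessKeyId"]


def keys_created_before(iam, user_name, compromise_date, delete=False):
    """Steps 3 and 4 of the notice. Every key of the user created before the
    compromise date is a candidate for deletion. Returns the selected
    AccessKeyIds; deletes them only when delete=True (default is a dry run)."""
    listing = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    selected = [m["AccessKeyId"] for m in listing if m["CreateDate"] < compromise_date]
    if delete:
        for key_id in selected:
            iam.delete_access_key(UserName=user_name, AccessKeyId=key_id)
    return selected


def demo():
    """Constructed scenario: the exposed key and one older key both predate
    the compromise date, and the application stays healthy after the switch."""
    created = datetime(2023, 1, 1, tzinfo=timezone.utc)
    compromise_date = datetime(2023, 6, 1, tzinfo=timezone.utc)
    iam = FakeIam({
        "AKIAFAKEEXPOSED00000": {"Status": "Active", "CreateDate": created},
        "AKIAFAKEOLDERKEY0000": {"Status": "Active", "CreateDate": created},
    })
    new_key_id = rotate_access_key(iam, "app-user", "AKIAFAKEEXPOSED00000",
                                   switch_app=lambda key_id, secret: None,
                                   health_check=lambda: True)
    removed = keys_created_before(iam, "app-user", compromise_date, delete=True)
    return {"new_key": new_key_id, "removed": removed,
            "remaining": sorted(iam.keys), "calls": iam.calls}


if __name__ == "__main__":
    print(demo())
```

The `health_check` callable is what stands in for "when your application is fully functional with the first key inactive": the exposed key is deleted only after it returns true, and a failing check re-activates the key instead of leaving the application broken. `keys_created_before` defaults to a dry run so the list of keys about to be removed can be reviewed before `delete=True` is passed; with a real client, `CreateDate` is a timezone-aware datetime, so the compromise date must be timezone-aware too.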
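Step 5 of the notice stresses that the console shows one region at a time while unauthorized usage can occur in any region, so the check for suspect running instances should be scripted across every region rather than clicked through. The following is an added example, not part of the AWS notice. `running_instances_all_regions` and `demo_sweep` are names chosen here; `FakeSession`, `FakeEc2` and the `SAMPLE` inventory are constructed so the example runs offline, but the calls used (`describe_regions`, `describe_instances` with the `instance-state-name` filter) and the response shapes match the real boto3 EC2 client, so a `boto3.Session()` can be passed instead.

```python
class FakeSession:
    """Constructed stand-in for boto3.Session: client("ec2", region_name=...)
    returns a client that answers from an inline inventory."""

    def __init__(self, instances_by_region):
        self.instances_by_region = instances_by_region

    def client(self, service, region_name):
        assert service == "ec2", "this stand-in only knows EC2"
        return FakeEc2(self, region_name)


class FakeEc2:
    """Constructed stand-in for the EC2 client, using the real response shapes."""

    def __init__(self, session, region):
        self.session, self.region = session, region

    def describe_regions(self):
        return {"Regions": [{"RegionName": r} for r in self.session.instances_by_region]}

    def describe_instances(self, Filters=()):
        wanted = {v for f in Filters if f["Name"] == "instance-state-name"
                  for v in f["Values"]}
        matching = [i for i in self.session.instances_by_region[self.region]
                    if not wanted or i["State"]["Name"] in wanted]
        return {"Reservations": [{"Instances": matching}]}


def running_instances_all_regions(session, expected_instance_ids=frozenset()):
    """Sweep every enabled region and return (region, instance_id, instance_type)
    for each running or pending instance that is not on the allow-list of
    instances you recognise. Accounts with many instances should use
    get_paginator("describe_instances") instead of the single call per region."""
    seed = session.client("ec2", region_name="us-east-1")
    regions = [r["RegionName"] for r in seed.describe_regions()["Regions"]]
    findings = []
    for region in regions:
        ec2 = session.client("ec2", region_name=region)
        resp = ec2.describe_instances(
            Filters=[{"Name": "instance-state-name", "Values": ["running", "pending"]}])
        for reservation in resp["Reservations"]:
            for inst in reservation["Instances"]:
                if inst["InstanceId"] not in expected_instance_ids:
                    findings.append((region, inst["InstanceId"], inst["InstanceType"]))
    return findings


# Constructed inventory: one known instance, one empty region, and a region
# the account owner never uses that holds an unexpected large instance.
SAMPLE = {
    "us-east-1": [{"InstanceId": "i-0known", "InstanceType": "t3.small",
                   "State": {"Name": "running"}}],
    "eu-west-1": [],
    "ap-southeast-2": [
        {"InstanceId": "i-0unexpected", "InstanceType": "p3.16xlarge",
         "State": {"Name": "running"}},
        {"InstanceId": "i-0stopped", "InstanceType": "t3.micro",
         "State": {"Name": "stopped"}},
    ],
}


def demo_sweep():
    """Run the sweep over the constructed inventory with i-0known allow-listed."""
    return running_instances_all_regions(FakeSession(SAMPLE),
                                         expected_instance_ids={"i-0known"})


if __name__ == "__main__":
    for region, instance_id, instance_type in demo_sweep():
        print(f"{region}: {instance_id} ({instance_type})")
```

The allow-list is deliberately the caller's responsibility: anything not in it is reported, which is the right default during an incident, when the goal is to see every resource the owner did not create. The same pattern (enumerate regions once, then query each regional client) applies to the other services the notice asks you to review.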